fix: use custom HTTP server (#265)

This switches from `vercel/serve-handler` to a custom local HTTP static web server.

Author: JustinBeckwith

package-lock.json

@@ -23,24 +23,26 @@
   "dependencies": {
     "chalk": "^4.0.0",
     "cheerio": "^1.0.0-rc.5",
+    "escape-html": "^1.0.3",
     "gaxios": "^4.0.0",
     "glob": "^7.1.6",
     "jsonexport": "^3.0.0",
     "marked": "^1.2.5",
     "meow": "^9.0.0",
-    "serve-handler": "^6.1.3",
+    "mime": "^2.5.0",
     "server-destroy": "^1.0.1",
     "update-notifier": "^5.0.0"
   },
   "devDependencies": {
     "@types/chai": "^4.2.7",
     "@types/cheerio": "0.22.23",
+    "@types/escape-html": "^1.0.0",
     "@types/glob": "^7.1.3",
     "@types/marked": "^1.2.0",
     "@types/meow": "^5.0.0",
+    "@types/mime": "^2.0.3",
     "@types/mocha": "^8.0.0",
     "@types/node": "^12.7.12",
-    "@types/serve-handler": "^6.1.0",
     "@types/server-destroy": "^1.0.0",
     "@types/sinon": "^9.0.0",
     "@types/update-notifier": "^5.0.0",

package.json

@@ -1,12 +1,15 @@
 import * as http from 'http';
 import * as path from 'path';
-import * as util from 'util';
 import * as fs from 'fs';
+import {promisify} from 'util';
 import * as marked from 'marked';
-import serve = require('serve-handler');
+import * as mime from 'mime';
+import escape = require('escape-html');
 import enableDestroy = require('server-destroy');
 
-const readFile = util.promisify(fs.readFile);
+const readFile = promisify(fs.readFile);
+const stat = promisify(fs.stat);
+const readdir = promisify(fs.readdir);
 
 export interface WebServerOptions {
   // The local path that should be mounted as a static web server
@@ -25,30 +28,89 @@ export interface WebServerOptions {
  * @returns Promise that resolves with the instance of the HTTP server
  */
 export async function startWebServer(options: WebServerOptions) {
+  const root = path.resolve(options.root);
   return new Promise<http.Server>((resolve, reject) => {
     const server = http
-      .createServer(async (req, res) => {
-        const pathParts = req.url!.split('/').filter(x => !!x);
-        if (pathParts.length > 0) {
-          const ext = path.extname(pathParts[pathParts.length - 1]);
-          if (options.markdown && ext.toLowerCase() === '.md') {
-            const filePath = path.join(path.resolve(options.root), req.url!);
-            const data = await readFile(filePath, {encoding: 'utf-8'});
-            const result = marked(data, {gfm: true});
-            res.writeHead(200, {
-              'content-type': 'text/html',
-            });
-            res.end(result);
-            return;
-          }
-        }
-        return serve(req, res, {
-          public: options.root,
-          directoryListing: options.directoryListing,
-        });
-      })
+      .createServer((req, res) => handleRequest(req, res, root, options))
       .listen(options.port, () => resolve(server))
       .on('error', reject);
     enableDestroy(server);
   });
 }
+
+async function handleRequest(
+  req: http.IncomingMessage,
+  res: http.ServerResponse,
+  root: string,
+  options: WebServerOptions
+) {
+  const pathParts = req.url?.split('/') || [];
+  const originalPath = path.join(root, ...pathParts);
+  if (req.url?.endsWith('/')) {
+    pathParts.push('index.html');
+  }
+  const localPath = path.join(root, ...pathParts);
+  if (!localPath.startsWith(root)) {
+    res.writeHead(500);
+    res.end();
+    return;
+  }
+  const maybeListing =
+    options.directoryListing && localPath.endsWith(`${path.sep}index.html`);
+
+  try {
+    const stats = await stat(localPath);
+    const isDirectory = stats.isDirectory();
+    if (isDirectory) {
+      // this means we got a path with no / at the end!
+      const doc = "<html><body>Redirectin'</body></html>";
+      res.statusCode = 301;
+      res.setHeader('Content-Type', 'text/html; charset=UTF-8');
+      res.setHeader('Content-Length', Buffer.byteLength(doc));
+      res.setHeader('Location', req.url + '/');
+      res.end(doc);
+      return;
+    }
+  } catch (err) {
+    if (!maybeListing) {
+      return return404(res, err);
+    }
+  }
+
+  try {
+    let data = await readFile(localPath, {encoding: 'utf8'});
+    let mimeType = mime.getType(localPath);
+    const isMarkdown = req.url?.toLocaleLowerCase().endsWith('.md');
+    if (isMarkdown && options.markdown) {
+      data = marked(data, {gfm: true});
+      mimeType = 'text/html; charset=UTF-8';
+    }
+    res.setHeader('Content-Type', mimeType!);
+    res.setHeader('Content-Length', Buffer.byteLength(data));
+    res.writeHead(200);
+    res.end(data);
+  } catch (err) {
+    if (maybeListing) {
+      try {
+        const files = await readdir(originalPath);
+        const fileList = files
+          .filter(f => escape(f))
+          .map(f => `<li><a href="${f}">${f}</a></li>`)
+          .join('\r\n');
+        const data = `<html><body><ul>${fileList}</ul></body></html>`;
+        res.writeHead(200);
+        res.end(data);
+        return;
+      } catch (err) {
+        return return404(res, err);
+      }
+    } else {
+      return return404(res, err);
+    }
+  }
+}
+
+function return404(res: http.ServerResponse, err: Error) {
+  res.writeHead(404);
+  res.end(JSON.stringify(err));
+}

src/server.ts

@@ -0,0 +1,5 @@
+<html>
+  <body>
+    hello
+  </body>
+</html>

test/fixtures/server/5.0/index.html

@@ -0,0 +1,5 @@
+<html>
+  <body>
+    hello
+  </body>
+</html>

test/fixtures/server/bag/bag.html

@@ -0,0 +1,5 @@
+<html>
+  <body>
+    hello
+  </body>
+</html>

test/fixtures/server/index.html

@@ -0,0 +1 @@
+alert('ohai');

test/fixtures/server/script.js

@@ -0,0 +1,5 @@
+<html>
+  <body>
+    hello
+  </body>
+</html>

test/fixtures/server/test.html

@@ -0,0 +1,64 @@
+import * as assert from 'assert';
+import {describe, it, before, after} from 'mocha';
+import {startWebServer} from '../src/server';
+import {Server} from 'http';
+import {request} from 'gaxios';
+import * as fs from 'fs';
+
+describe('server', () => {
+  let server: Server;
+  const port = 5000 + Math.round(Math.random() * 1000);
+  const rootUrl = `http://localhost:${port}`;
+  const contents = fs.readFileSync('test/fixtures/server/index.html', 'utf-8');
+  before(async () => {
+    server = await startWebServer({
+      port,
+      directoryListing: true,
+      markdown: true,
+      root: 'test/fixtures/server',
+    });
+  });
+  after(() => server.destroy());
+
+  it('should serve basic file', async () => {
+    const url = rootUrl;
+    const res = await request({url});
+    assert.strictEqual(res.data, contents);
+    const expectedContentType = 'text/html';
+    assert.strictEqual(res.headers['content-type'], expectedContentType);
+  });
+
+  it('should show a directory listing if asked nicely', async () => {
+    const url = `${rootUrl}/bag/`;
+    const res = await request({url});
+    const expected =
+      '<html><body><ul><li><a href="bag.html">bag.html</a></li></ul></body></html>';
+    assert.strictEqual(res.data, expected);
+  });
+
+  it('should serve correct mime type', async () => {
+    const url = `${rootUrl}/script.js`;
+    const res = await request({url});
+    const expectedContentType = 'application/javascript';
+    assert.strictEqual(res.headers['content-type'], expectedContentType);
+  });
+
+  it('should protect against path escape attacks', async () => {
+    const url = `${rootUrl}/../../etc/passwd`;
+    const res = await request({url, validateStatus: () => true});
+    assert.strictEqual(res.status, 500);
+  });
+
+  it('should return a 404 for missing paths', async () => {
+    const url = `${rootUrl}/does/not/exist`;
+    const res = await request({url, validateStatus: () => true});
+    assert.strictEqual(res.status, 404);
+  });
+
+  it('should work with directories with a .', async () => {
+    const url = `${rootUrl}/5.0/`;
+    const res = await request({url});
+    assert.strictEqual(res.status, 200);
+    assert.strictEqual(res.data, contents);
+  });
+});